Blogger Long Zheng of Started Something has published a proof-of-concept attack showing how a script can easily disable Windows 7's UAC, due to an inherent design flaw: UAC blindly trusts changes to its own settings. Microsoft has so far refused to acknowledge that the problem needs fixing, calling it "by design" and pulling an MSDN blog post on the UAC changes. (Source: Started Something)

When Windows Vista was launched, it brought to the table a new feature that was supposed to safeguard the user: User Account Control (UAC). However, the useful feature, which could be disabled, became the source of a great deal of the OS's early criticism due to its warning messages, which some users found irritating.

With Windows 7, Microsoft decided to switch gears and is offering a less nosy UAC in the beta version of the OS. This move was the subject of much early praise. However, it may now have backfired, as blogger Long Zheng, who runs the blog Started Something, has detailed a proof-of-concept attack against the new Windows 7 UAC.

Mr. Zheng says the attack is a vindication of Windows Vista, and evidence that the new Windows 7 approach, while more pleasing to some, is inherently insecure. He states, "This is dedicated to every ignorant ‘tech journalist’ who cried wolf about UAC in Windows Vista. A change to User Account Control (UAC) in Windows 7 (beta) to make it ‘less annoying’ inadvertently clears the path for a simple but ingenious override that renders UAC disabled without user interaction. For the security conscious, a workaround is also provided at the end. First and foremost, I want to clear up two things."

The flaw, which he calls "blatantly simple" to fix, was brought to his attention by a "security-minded 'whistleblower.'" Largely ignored by Microsoft in its Windows 7 beta feedback discussions, the issue may be present in the retail version of Windows 7 and has been known to many for some time.

By default, Windows 7 is set to "Notify me only when programs try to make changes to my computer" and "Don't notify me when I make changes to Windows settings". It uses a security certificate to determine whether a program is part of Windows; in other words, changes made in the control panel don't raise warnings because the control panel carries a trusted certificate.

The "Achilles heel", as Mr. Zheng describes it, is that the UAC settings dialog is itself a certified Windows program, so changes to it are also trusted, even if that change is to disable UAC. While he admits that he had to "think bad thoughts" to come up with a way of disabling UAC without directly tricking the user into doing it, he says it wasn't tough. He has posted a proof-of-concept VBScript, which uses keyboard shortcuts to select the UAC setting and then disable it. The attack works against any user who has administrative permissions (standard users are prompted for an administrative password when changing UAC settings).

He elaborates, "We soon realized the implications are even worse than originally thought. You could automate a restart after UAC has been changed, add a program to the user’s startup folder and because UAC is now off, run with full administrative privileges ready to wreak havoc."

He adds, "This is the part where one would usually demand a large sum of money but since I’m feeling generous, there is a simple fix to this problem Microsoft can implement without sacrificing any of the benefits the new UAC model provides."

The fix, he says, is to force UAC into secure desktop mode whenever its settings are changed, regardless of the current UAC level. This, he says, while by no means foolproof, will prevent basic attempts. He suggests Microsoft adopt the fix as soon as possible.

Microsoft, however, appears to be relaxed about the topic: it responded to Mr. Zheng that the flaw is "by design", indicating it will not be changed before release. Furthermore, as of this morning it has pulled an MSDN post about the topic which Mr. Zheng had linked.
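As an added example (not code from Zheng's post or from Microsoft), the following PowerShell audit reads the policy values behind the UAC settings the article describes and reports whether a machine is in the weakened state the proof-of-concept exploits or the fully disabled state it produces. It assumes the standard policy key HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System with its EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop values; the function name is my own.

```powershell
# Added example: audit the UAC policy values behind the Windows 7 settings
# discussed in the article. Assumes the standard policy key and value names.
function Get-UacPosture {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Helper: read a DWORD value, falling back to the OS default when it is absent.
    function Read-Value([string]$Name, [int]$Default) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $Default }
        return [int]$item.$Name
    }

    $enableLua  = Read-Value 'EnableLUA' 1                   # 0 = UAC disabled entirely
    $adminLevel = Read-Value 'ConsentPromptBehaviorAdmin' 5  # 2 = "Always notify", 5 = Windows 7 default
    $secureDesk = Read-Value 'PromptOnSecureDesktop' 1       # 1 = prompts shown on the secure desktop

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is disabled (EnableLUA=0): the end state the script-based override produces.'
    }
    if ($adminLevel -eq 0) {
        $findings += 'Administrators elevate without any prompt (ConsentPromptBehaviorAdmin=0).'
    }
    elseif ($adminLevel -ne 2) {
        # Level 5 ("Notify me only when programs try to make changes") lets signed
        # Windows components, including the UAC settings dialog, elevate silently.
        $findings += 'Signed Windows components auto-elevate silently; "Always notify" (level 2) closes this path.'
    }
    if ($secureDesk -eq 0) {
        $findings += 'Prompts are shown on the interactive desktop rather than the secure desktop (PromptOnSecureDesktop=0).'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminLevel
        PromptOnSecureDesktop      = $secureDesk
        Hardened                   = ($findings.Count -eq 0)
        Findings                   = $findings
    }
}

# Usage: an empty Findings list means UAC is set to "Always notify" on the secure
# desktop, the workaround Zheng recommends; anything else is worth reviewing.
Get-UacPosture | Format-List
```

Run it as an administrator on each host you manage; an unexpected transition to EnableLUA=0 is worth alerting on, since the only legitimate path to it is a deliberate settings change followed by a reboot.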

Comments


In, what, NINE years of using Win2000/WinXP logged in 100% of the time as an admin on my home computers, I've had zero problems. So for personal use there appears to be no practical, actual risk. Corporate use is another story, but I'm talking about the OS I use at home.

Absolutely agree with you, I have the same experience. Protecting your computer is pretty much as simple as (a) having a backup drive and (b) not opening random e-mails or downloading things from strange websites. Confirmation of intent doesn't do anything but waste our time with annoying popups; it can't protect users from themselves. If an ignorant user downloads "smileyfacegame.exe", chances are they are doing so because they want to run it, and will answer "yes" to the prompt. If it's something that wasn't executed directly by the user, that might be mildly protective provided they know the program is malevolent. But if they don't, they will also click "yes."

It's like trying to prevent ponzi scheme participation by making sure people are always asked twice if they want to join. It wasn't the fact that you didn't ask them twice that made them compromise their investments. It was that they didn't educate themselves and fell for the trick. Thus, UAC is a marketing stunt that makes computers LESS secure by giving people a false sense of security. It is something impotent purporting to protect us, and as such, makes people less vigilant about educating themselves and others. Sound familiar? How many times was the SEC in Madoff's offices and found nothing? 9?

...they're trying to protect people from their own stupidity...which will always fail. Idiots always find a way to prevail.

In a way, I really hate attempts to remove the responsibility for your machine from the user. If you're an idiot user, and you load your machine up with viruses and spyware and whatnot...well, you're an idiot and by the way, no, the nice guy from Nigeria isn't really trying to send you eighty bazillion dollars.

On the other hand...ah, screw it. If you're too stupid to not screw up your computer, then maybe you should just stick to cell phones.

Yeah, and if I wasn't being clear enough, I essentially think the prompting part is what's useless and annoying. Setting up file access/editing privileges on created user accounts, whether you're an OEM or an individual or an IT guy, is fine.

Yeah, the UAC prompts are in a way kind of like taking your laptop out of its bag and putting your shoes on the belt at the airport. Neither of which do anything (nor does limiting liquids, so on and so forth), but it appears that you're doing "something about the problem."

Mac users are still relatively "safe"... so yes, you CAN protect idiots from themselves. If by idiots we mean people.

Dude, without some basic tools from software providers most of us idiots would be swimming in viruses.

Whether it's Linux, or Windows or whatever... I mean, as an example, I wouldn't run Windows without an Antivirus or without updates. I didn't "create" any of that. They are all things to help me stay protected... and they work really well for the most part. The amazing people that give of their time to make Linux safe... I need them, I need them very much. They are watching out for me not to be utterly at risk when I run Ubuntu... and I like that, I appreciate that.

I'm glad that you absurdly believe that you could be safe online without software (and settings) to protect you. But it's perhaps the most naive stance of anyone. Systems should default to safe, that much is obvious. It shouldn't take a bunch of know how to enable safety... it should take know how (or at least "the intent") to increase the amount of risk.

I'll tell you... Windows users are wising up a little bit. Vista requiring you to click OK when installing something is hardly debilitating. I do worry about Mac users though... they are so unbelievably oblivious to security/virus concerns...

Protect everyone. That's what software companies should believe they have to do. Anything less would be utterly unethical. Yes, us so called experts should believe that "idiots" should be totally safe when using their computers. When I go to the doctor and he prescribes me medication... I don't expect to be called an idiot because the drug was unsafe... I expect it to be safe because ethical people are supposedly at the helm, making sure of it. What do you believe? I believe, protect 100% of users, that includes protecting grandparents, protecting teenagers, protecting businesspeople... everyone.

You are NOT stupid, because you see a deceptive ad while you're browsing the web ... a pop up with pretty graphics that says, "YOU have been selected" you click on it, and you're infected. It is NOT stupid to be a victim of that attack. It is malicious, it is a bad action, it is completely wrong to attack a user that way. Bad people doing bad things... it is up to the ethical expert community to shield the user from bad people. The open source community does it on ethics alone, but Microsoft has a mandate because those "idiots" are paying money for a service (the service being security).

You have no idea what you're talking about. None of your fevered ranting or poor analogies accomplishes anything. UAC prompts don't protect you from machine-compromising exploits, user privilege restrictions do. All a prompt does is ask someone twice whether they want to do what they intended. It's the user's access restrictions that causes malevolent code be impotent.

Mac has minuscule market share, of course it's safer. Its design isn't a factor yet; too few people are using it for hackers to care.

quote: Dude, without some basic tools from software providers most of us idiots would be swimming in viruses.

quote: I expect it to be safe because ethical people are supposedly at the helm, making sure of it. What do you believe? I believe, protect 100% of users, that includes protecting grandparents, protecting teenagers, protecting businesspeople... everyone.

There is no such thing as 100% security, software can't address the latest worms and viruses the second they come out. If you actually believe that or try to convince others of that, you are proving my point. You can't just install some software and proceed to browse and e-mail with reckless abandon, you're going to learn a very hard lesson. People MUST educate themselves with the fundamentals, there is no magic shield you can buy to avoid that.

quote: UAC prompts don't protect you from machine-compromising exploits, user privilege restrictions do. All a prompt does is ask someone twice whether they want to do what they intended. It's the user's access restrictions that causes malevolent code be impotent.

Not sure what you are driving at here. UAC puts the entire machine into user mode which stops both the user and ANY RUNNING SOFTWARE from changing important OS files or settings without the user giving explicit assent.

Yes, this is nowhere near as safe as locking a machine down in user mode, but doing that is impractical for many situations. Yes, if the user foolishly clicks through a UAC prompt without stopping to think it will not help, but if the user is not even installing software or making system changes and a prompt comes up, they should have the sense to say no, or can be trained to say no - part of "learning the fundamentals" as you say. It's not perfect but it helps.

I'll disagree there. UAC is useless and essentially irrelevant for corporate use: its function is to provide a safety blanket for users logged in as admins. Since corporate users are most definitely not logged in with admin rights (aside from certain IT staff, of course), UAC has no bearing on them. They won't see UAC prompts, they'll just see access denied messages.

UAC is all about home use, and for home use the majority of users should never be logging in as admin. Maybe it's just fine for you, but you (and probably most DT readers) are not the users that UAC is meant to protect. UAC is there to render most malware and viruses inert unless they have an elevation of priv exploit, or if the user ignores the UAC prompt and just clicks OK for everything.

Still, I will assist your point by saying that I am an Administrator on XP at work (very big corporation) and I expect everyone else is here since the setup is standard across the company. However, I have no idea what other companies do and for all I know "Users Group" may be the normal setting.

I've been working in IT for 13 years (Well, it will be 13 years in a couple weeks) and nearly every place I've worked that used anything from Windows NT to Windows XP, the users were generally set up as admins.

Believe me, if I could do it any other way, I would. Unfortunately, we have to run our remote users as admins so they can install local printers, (HP is too stupid to write printer drivers that can install with only power user membership) our helpdesk (for users of our products, not internally, and by far our biggest infection rate of trojans) must run as admins so that they can run the ticketing software and the phone center software, and our development department must run their own domain, that we can't lock down, so that they can test their newly developed software on their test servers.

If I could lock down users, I definitely would. The problem is that programmers don't seem to want to put in the time to make a program that can be run without being local admins. There are also far too many programmers out there who think they can change system files with impunity, which has always been the biggest source of instability in the Windows OS. I actually had one programmer in my last company contact me and ask me to deploy out a single file update (mfc42.dll) to the entire company so he could make his new program work right. (That dufus actually believed I wouldn't protest it!)

As soon as we get some smart programmers in the world, then we'll be able to get rid of things like this.

Oh, right, programmers are human. We aren't going to be able to get rid of the lazy, stupid ones.

Oh, I forgot to mention: the stupid programmers of our help desk ticketing system actually require the users to have admin rights to the SQL server in order to run the software! Can you imagine the idiocy??

And our help desk management at the time actually went with this garbage system and paid $2000 per license, and $5000 per management license for this POS software. I'm glad that manager is gone. I just wish the systems admin that approved this move wasn't my boss now.

None of our users run as administrators. I do agree that programmers need to be beat over the head with the need for their programs to function as a user. However we have been able through the use of utilities like Process Monitor from SysInternals to open up only the files and keys needed for the various programs to function. Some programs only require their initial launch as an administrator to setup the necessary files. As a result viruses and malware that get downloaded very rarely do any actual damage (I can't think of one incident in the last 6 months).

Remote sites are taken care of by remote control applications which allow the IT staff to install software and manage them. However painful the connection speed, it is a small price when compared with the labor needed to actually diagnose and repair an infected system. Laptops that absolutely have to have the ability to install devices on the road log in locally and then into AD when returning. The AD account of course does not have admin rights.

The users complained at first, but looking at the statistics it is irrefutable that this has been a huge benefit. It takes a lot of testing and effort to get programs to function as a user, but it is well worth the investment. It's a shame that more programmers don't take this issue to heart, as this is the single biggest reason Windows has the security issues it does.

The way to encourage programmers to write software that doesn't require admin rights is to make your programmers run with the same privileges you expect users to have (e.g "power users" or "users").

Yes, developers may need to be able to install software on their machines. For that I give them a second login that gives them local admin rights (but very limited network access, so they can't normally run under that account to do their job). Be sure you're logging changes to permissions, group memberships, etc. If they use the local admin account to upgrade their domain user permissions (e.g. to a local administrator), they can be terminated.

Then, have a QA person or network tech try to install and run any updates from the developers while logged in as a "typical" user in your environment. If it doesn't install or doesn't work, send it back and work with the developers to come up with a solution that doesn't compromise your security.

I'm a developer, and a network admin, and network designer, and security consultant. I've had great success getting management backing to implement the above policies at my clients, regardless of company size. Generally, the most challenging users are executives/owners who are moderately technical, they often want to run as admin for convenience. Most of the time, I can convince them to be a power user (and possibly give them a separate local admin account with restricted network access).

There are challenges: Some third party software requires operating as a local administrator. In this case, we typically set up a shortcut to run that application using "run as" with an account with local administrator privileges. With W2k/XP, there is a third party tool named TQCrunas that you can use to set up a shortcut where the shortcut is a script with an encrypted password, so the user doesn't even need to know the account name or password for that local admin account.

TQCrunas can also be used to allow remote users to install their own print drivers and/or printers.

Programs that attempt to update themselves: You can push updates via WSUS, and/or the Windows login script, and/or from a script on the server, and/or use run as/tqcrunas for the installer/updater, and/or allow write permissions on that specific program directory (but not a Windows system directory), and/or install an updater service on the workstation.

I've encountered very few situations that actually require the user to run as an administrator. It's not hard to set up, but it does require some research, planning, and testing.

We use a similar program from FullArmor called Intellipolicy, that is configured with AD Group Policy to promote apps to admin for any user. They discontinued the program though, because this can be done natively in Vista.

I've never worked at a medium to large business that allows local admin rights to the masses. Personally I have it, as I am a programmer that requires certain admin rights, but I am certainly not the majority. A standard Vista/7 user can also do a lot more than under XP.

I work for a large company and this is 100% correct. All our laptops run WinXP and users have full administrative rights. There are official guidelines as to what we are allowed to install, but the only things actually controlled by IT are certain Windows updates (like SP3 and IE7).

Corporate users are not logged in with admin rights in any corporation where the IT department is doing its job, and definitely not in any company that's able to pass compliance audits (for PCI, FISMA, HIPAA, etc etc).

I have never worked at a business that allowed admin rights for the masses. My current employer (small corporation, approximately 800 employees and 40 offices) doesn't even give admin rights to many people in the IT staff.

Sorry but IT departments do not set policy in large corporations. 800 users isn't large, that's medium sized. I'm speaking from experience and through conversations I've had with IT professionals at other large corporations. All of these companies possess >5000 users. In companies this large, politics dictates policy, and Local Admin without having to get IT to install software, etc.... is required; otherwise they simply fire the IT management and replace it with one that will do it. IT is a Cost Center, not a Profit Center, and thus we do not get to dictate, security be damned.

Giving users admin rights to install their own software does not cut IT costs, it inflates them. This is just another failure by IT to do their jobs - in this case, they failed at the task of giving management the information they need (in a way they understand) to make financially sound decisions.

Also, have you or the IT professionals you've conversed with not worked for companies that have had to deal with standards like the PCI DSS or FISMA? Politics dictate policy, like you said, and money dictates politics. Where money is concerned, not much can have a greater impact than a failed PCI audit.

Maybe security is just handled better up here in Canada than in the US. The US does have an abysmal reputation for cyber-security at the federal level, but I've never seen any kind of comparison between the security postures of private industry in Canada vs America.

quote: Also, have you or the IT professionals you've conversed with not worked for companies that have had to deal with standards like the PCI DSS or FISMA?

FISMA applies to jobs I've had in classified environments, in which case your argument is valid. My original post specifically outlined unclassified workspaces/networks.

PCI DSS applies to credit cards. None of the companies I've worked at has ever bothered dealing with credit cards. We aren't running point of sale systems; we're trillion-dollar companies that do business by the millions/billions.

quote: This is just another failure by IT to do their jobs - in this case, they failed at the task of giving management the information they need (in a way they understand) to make financially sound decisions.

You're assuming IT is in a position to make such a policy stick. When a major profit center in the company is complaining that they can't run System A or it's costing them additional overhead because IT implemented policy B, you will see executives strike it down in short order. Profit Centers are elevated above all else. The lax security is simply considered a "cost of doing business" at many companies. Additional security is piled on to make sure a compromised system can't do damage to the rest of the network, but that one will be in for a reimage in short order.

quote: Giving users admin rights to install their own software does not cut IT costs, it inflates them.

That is IT's problem, not the business profit centers' problem. It doesn't balance out from a top down view overall, but this is how it is viewed in many companies. Let IT pay for it with their own budget. Welcome to corporate America.

Wow... just wow. That's terrible. I work for state govt. (albeit a small dept) and we have the users locked down pretty tightly. I can't imagine working in a "Wild West" IT environment, where I have no idea what is installed and what damage an "admin" has done to his PC.

Smaller environments can get away with tighter controls and restrictions from IT without too much hassle. But when you're managing 5000 or 50,000 users, it becomes a nightmare in overhead to babysit them. This isn't IT's fault, this is the fault of convenience. No IT manager is going to do battle with corporate executives who want convenience over security.

I definitely see your point, but it's sad to know that most execs would rather throw away money paying IT to put out fires all day, rather than focus on higher level services. It's much easier to babysit when he's in the playpen, not tearing around the living room in his walker.

Every company I've worked at has made ALL domain users local admin for ALL PCs. It makes for great fun! Place a file named "AllTimeFavoritePorn.htm" in their documents folder and wait for the 'WTF's to flow! Put a job in their task scheduler to open a Word document with fake departmental salary information and hilarity ensues. Even better, change folder permissions and lock them out of their own files. Change 'em back right after they call for support. Good times -- good times! 8^)